Frequent e-mail warnings sent to the employees of E.W. Bullock Associates were not enough to prevent one of them from getting snagged by a phishing scam.
“I e-mailed everyone in the office many times warning them about phishing scams and advising them to never follow a link in an e-mail,” says Brandi Thompson, Internet account manager for the Pensacola-based marketing firm. “But, it still happened.”
An associate provided bank and credit card information in response to an e-mail saying her account information had been compromised. Thompson overheard the associate sharing her story with the company’s receptionist.
“I told her to stop and not respond to anything, but it was too late,” Thompson says. “She immediately called the bank and credit card company to change all account numbers. I think that she headed off further damage by changing the numbers so quickly.”
Despite constant warnings and common sense, criminals lure consumers – or “phish” for suckers – into revealing personal and financial information more often than not. Fifteen million Americans were victims of phishing attacks during a 12-month period in 2005-06, according to Gartner Research, which provides independent research and analysis to the global IT industry.
And unfortunately, it’s happening in the workplace. But employees responding to e-mails aimed at identity theft aren’t the only way spammers crack a system. “Pharming,” a somewhat newer scam in which online thieves redirect traffic from a legitimate Web site to a fake one, also has victims willingly handing over private financial information.
Businesses under Attack
Both phishing and pharming have the potential to damage your company’s image and reputation. If your name is somehow connected to a scam, even as its victim, your image and reputation are on the line and you’ll awaken to a potential public relations nightmare.
The fact is, your Web site could be host to illegal activity right now.
It happens to about 50 sites a day, says Chris Cain, lead analyst for AppRiver, a Gulf Breeze, Fla.-based e-mail security firm providing spam and virus protection to more than 10,000 businesses worldwide.
“A criminal will bury an illegitimate Web page deep in the structure of a business’s site to avoid detection for as long as possible,” Cain says. “The site is not defaced, so owners of the domain name rarely notice a problem until many people have entered sensitive data – such as bank account information – and fallen victim to the scam.”
Or maybe you’ve been hijacked.
Pharming is an even greater challenge. Pharmers take control of your domain name, or of the behind-the-scenes lookup that turns it into the number string representing your Web address and identifying your server to other computers on the Internet, so that visitors who type your name are sent to a server the pharmer controls.
Your company’s Web address may appear in the browser and the Web page may match yours, but the user has been taken to a different domain. And neither you nor your customers know it’s happening.
Online Scams Take Many Forms
Most of the destructive cons on the Web are variations on the same theme. Here are some to watch for:
The Hit Man: You get an e-mail containing some of your personal information. It says you’re on a hit list and will be killed unless you pay the sender, who poses as an assassin. A response to this e-mail may trigger the “assassin” to send a more threatening e-mail. If it all sounds too close for comfort, take it to the police.
Work at Home: From envelope stuffing to keeping the books of a foreign company in the comfort of your own home, beware of unsolicited job offers. If you didn’t apply, it’s not likely that a stranger – especially on another continent – is going to offer you a legitimate job by e-mail.
Job Hunt: Criminals harvest e-mail addresses from legitimate job-search sites and offer lists of companies with open positions. The victim pays a fee to access the list – which is outdated, unrelated to the recipient or never arrives.
Sob Story: This scam takes many forms, but in each case appeals to your compassionate nature – or your greed. Please, kind stranger, send money to hungry orphans or (fill in the blank). Or send us your bank information and/or large but necessary fees to help get money in or out of a war-torn or otherwise troubled country, and you can believe absolutely that you’ll get a generous cut of some major cash.
Pump and Dump: Spammers “pump” out millions of spam e-mails with “hot tips” for investing in a real but obscure company with assurance that it’s ready to break out big. The suckers “dump” their money into the stock offering. But before sending the spam, the scammers buy up shares in the company. Once victims fall for it all, the stock price soars, the spammers cash in and the price nosedives.
Lottery: An e-mail excitedly declares you the big winner of a lottery you’ve never heard of. Just send this personal info, they say, and your huge winnings will be mailed. The check arrives, looks quite real, you deposit and start drawing on it. But your account is compromised, and you’re soon buried in overdrafts and accusations of check fraud. “You never win a lottery you didn’t enter,” Cain says. “You aren’t notified of winnings through an e-mail. Basically, if it sounds too good to be true, it probably is.”
How to Protect Your Business
Despite efforts to eliminate, or at least cut back on, online fraud, the bad guys keep inventing new scams.
The CAN-SPAM Act of 2003 and the Anti-Phishing Act of 2004 were enacted to fight such rip-offs, but criminals don’t pay a lot of attention to the law.
So you need to protect your business. A variety of hardware, software and anti-spam services exist to protect against potentially harmful attacks. For instance, you can attach a spam firewall to your in-house e-mail server. Or you can hire a security company: AppRiver, MessageLabs, Postini and MX Logic offer monthly service plans to keep spam and viruses out of customers’ in-boxes and hackers out of your servers.
But you still need to share these tips with everyone in your company:
- Never log in to your bank account from a link you get by e-mail.
- Always look for a small padlock symbol in the lower right corner of your browser window before entering sensitive information at financial and e-commerce Web sites.
- If you get an e-mail asking for sensitive financial information, call the number on your regular statement, not one included in the e-mail.
- Ignore surveys included in enter-to-win campaigns.
- Thoroughly research work-at-home “opportunities” by going directly to the Web site and logging into the company’s system.
- Get good spam protection; don’t rely on your Internet service provider.
Other Resources to Protect Your Business: